# Sign images

Image signing is a security process that involves adding a cryptographic signature to a digital image. This signature serves as a unique identifier, verifying the authenticity, integrity, and origin of the image. Without image signing, there is no assurance of an image’s integrity or trusted origin, leading to potential security breaches and data loss.

Follow these steps to sign the images.

1. You can sign the images using SecTools V2. Different signing methods and secure image functionality are available. For more information see [SecTools V2: Secure Image User Guide](https://docs.qualcomm.com/bundle/80-NM248-12/resource/80-NM248-12_REV_AB_SecTools_V2__Secure_Image_User_Guide.pdf).
2. You can generate the keys and certificates using a local signer. For more information, see [Generate local (insecure) root key and certificate](https://docs.qualcomm.com/doc/80-70018-11/topic/generate-local-insecure-root-key-and-certificates.html#generate-local-insecure-root-key-and-certificates).
3. To sign a single image, run the following command, where `tz.mbn` is used as an example.

> 
> 
> Note
> 
> 
> You can replace the values of oem-id “**0x1**” and oem-product-id “**0xabcd**” according to your requirement.

<meta>/common/sectoolsv2/ext/linux/sectools secure-image --sign /path/to/tz.mbn --image-id=TZ --security-profile <meta>/common/sectoolsv2/<chipset>_security_profile.xml --oem-id=0x1 --oem-product-id=0xabcd --anti-rollback-version=0x0 --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --outfile ./signed_images_out/tz.mbn
        Copy to clipboard

    The following is a sample command for QCS9075/QCS9100.

> 
> 
> <meta>/common/sectoolsv2/ext/linux/sectools secure-image --sign /path/to/tz.mbn --image-id=TZ --security-profile <meta>/common/sectoolsv2/lemans_security_profile.xml --oem-id=0x1 --oem-product-id=0xabcd --anti-rollback-version=0x0 --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --outfile ./signed_images_out/tz.mbn
>         Copy to clipboard
4. For the images that should be split, use the `--pil-split` option.
5. For signing the complete metabuild, use the following commands.

> 
> 
> ./sectools metabuild-secure-image --image-finder /prj/qct/asw/crmbuilds/snowcone/builds901/PROD/QCM6490.LE.1.0.r1-00186-STD.INT.SL-1/common/build/app/image_finder.py --sign --oem-id=0x1 --oem-product-id=0xabcd --anti-rollback-version=0x0 --signing-mode LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --chipset KODIAK --outdir meta_signing_output/
>         Copy to clipboard

    For more information, see [SecTools V2: Metabuild Secure Image User Guide](https://docs.qualcomm.com/bundle/80-NM248-17/resource/80-NM248-17_REV_AB_SecTools_V2__Metabuild_Secure_Image_User_Guide.pdf).

Note

The *SecTools* guides are available to licensed users with authorized access.

## Next steps

- To verify that the software hasn’t been tampered with and is from a trusted source, see [Generate signed sec.elf image](https://docs.qualcomm.com/doc/80-70018-11/topic/generate-signed-sec-elf-image.html#generate-signed-sec-elf-image)
- To write a complete software image to a storage device that ensures that the device is updated, functional, secure, and optimized, see [Flash images](https://docs.qualcomm.com/doc/80-70018-11/topic/flash-the-images.html#flash-the-images).

Last Published: Apr 10, 2025

[Previous Topic
Generate SHA-384 hash for RSA and ECDSA](https://docs.qualcomm.com/bundle/publicresource/80-70018-11/topics/generate-sha-384-hash-for-rsa-and-ecdsa.md) [Next Topic
Generate signed sec.elf image](https://docs.qualcomm.com/bundle/publicresource/80-70018-11/topics/generate-signed-sec-elf-image.md)